server administration

Setting up your Linux VPS: Initial steps

When you first get access to the VPS you ordered, you start with a blank slate. The flavour of Linux that you chose will be installed, but nothing else will be.

Every system will be slightly different depending on your needs and the flavour of Linux that you choose. You may even choose not to use Linux in which case this article might not be of interest to you.

In this article I am going to show you the steps I take on my Ubuntu servers. I've chosen Ubuntu as it is easy to set up and makes a good introduction into the world of servers.

Getting started

First you will want to make sure the system is up-to-date. Run the following command to upgrade any packages that are out of date: apt update && apt upgrade

Next I tend to make sure the hostname, timezone and locale are set how I like them. I do this with the following commands (where [hostname] is whatever I wish to call that server):

hostnamectl set-hostname [hostname]
dpkg-reconfigure tzdata
apt install language-pack-en
update-locale LANG=en_GB.UTF-8 LC_MESSAGES=en_GB.UTF-8

I then tend to install some packages which I find I generally need at some point. You may find that some of these are already installed.

apt install nano ca-certificates apt-transport-https software-properties-common man curl pwgen unzip dnsutils nmap

Once I've done this I move on to cleaning up any old packages by running: apt clean && apt autoremove.

Setting up a new user

Remember that, when you log in for the first time, you will be root. It isn't a good idea to keep using the root account as it can be quite dangerous.

My next task, therefore, is to set up a new user. This can be done with the following instructions (where [username] is the name you wish your new user to be):

adduser [username]
usermod -aG sudo [username]

After adding the new user I will open a new SSH connection and test to make sure that I can log in with this new username.

Configure SSH

Once you have confirmed that you can log in to the new user account you can exit out of the root account login.

Now I will configure SSH to make it a little more secure. This can be done by editing the sshd_config file found in /etc/ssh like so:

sudo nano /etc/ssh/sshd_config

Once the configuration file is open I make a few changes:

  • Look for the line with Port 22 on it and change it to a random number below 65535. This will be the new port that you use to connect to your server over SSH.
  • Under the Port line I add Protocol 2. This forces SSH v2 which is more secure than v1.
  • I find and set PermitRootLogin to no.
  • The maximum number of attempts at entering the password can be changed on the MaxAuthTries line (for those times where you mistype your password). Don't set this too high as it also gives an attacker multiple attempts.
  • I will make sure that PermitEmptyPasswords is set to no and UsePAM is set to yes.
  • At the very end of the file I add AllowUsers [username] where [username] is the user I created earlier. This makes sure that only that user can log in via SSH. Multiple users can be added if that is what you need.

Remember that any line that starts with a # is a comment. You might need to delete this character to make that setting active.

Once I've done this I save and exit the editor. I now test the configuration with sudo sshd -t and, if everything works fine, restart the SSH server by running sudo systemctl restart sshd.

If you are already running a firewall at this point make sure to add the port you specified above to the allow list.

Once this is all done I will open a new SSH connection to make sure that I can connect with my new user at the new port.

Setting up SSH keys

Now I have made things a little more secure I will configure SSH to only allow logins when the user has the necessary key file. This is more secure than allowing passwords.

These instructions are for Windows users (like me) who wish to connect to their Linux server.

  • If you haven't already, and you don't have a key you wish to use, download and install PuTTY. Open PuTTYgen and select either an RSA 4096 or ED25519 key and choose Generate. Add a comment to help you remember what this key is for and enter a password to protect the key. Now save the private and public keys somewhere safe.
  • On your VPS (making sure to be logged on as the user who will use the key) type the following commands: mkdir ~/.ssh, sudo chown [user]:[user] ~/.ssh and finally sudo chmod 700 ~/.ssh.
  • Back in Windows copy everything that is in the PuTTYgen box that displays your public key. On the VPS add your public key to the authorized keys file using nano ~/.ssh/authorized_keys (without sudo, so that the file stays owned by your user and sshd can read it). Now paste your key in and save and exit the file. Type chmod 600 ~/.ssh/authorized_keys at the command line.
  • Return to Windows for a moment. Open PuTTY and enter the IP or domain name you use to connect to your VPS. Make sure the port matches what is in the SSH configuration file. On the left choose SSH then Auth then click on Browse to locate the private key you saved earlier.
  • Try to connect to your VPS. If it works, type sudo nano /etc/ssh/sshd_config and change the PasswordAuthentication line to no. This will disable password access and means that people can only connect with a key. Now restart SSH with sudo systemctl restart sshd.
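
The sshd_config changes from the Configure SSH section and the PasswordAuthentication change in the last step above can be checked with a short script. This is an added example, not part of the original article; the function names, the sample file and the MaxAuthTries limit of 4 are assumptions, and Include files and Match blocks are not evaluated.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config file against the settings listed above.
# Not handled (assumption): Include files and Match blocks.

# Effective value of KEYWORD: keywords are case-insensitive, commented lines
# are inactive, and the first occurrence of a keyword wins.
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# One line per finding; returns 0 only when nothing was found.
audit_sshd_config() {  # usage: audit_sshd_config FILE [MAX_TRIES]
  local file=$1 max_tries=${2:-4} findings=0 key want got
  while read -r key want; do
    got=$(sshd_value "$file" "$key" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ] && continue
    echo "$key: want '$want', found '${got:-(unset)}'"; findings=$((findings + 1))
  done <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
UsePAM yes
PasswordAuthentication no
EOF
  got=$(sshd_value "$file" Port)
  [ "${got:-22}" != 22 ] || { echo "Port: still 22"; findings=$((findings + 1)); }
  got=$(sshd_value "$file" MaxAuthTries)
  [ "${got:-6}" -le "$max_tries" ] ||
    { echo "MaxAuthTries: ${got:-6} is above $max_tries"; findings=$((findings + 1)); }
  [ -n "$(sshd_value "$file" AllowUsers)" ] ||
    { echo "AllowUsers: not set"; findings=$((findings + 1)); }
  [ "$findings" -eq 0 ]
}

# Constructed sample: the commented PermitRootLogin line is inactive and the
# second PasswordAuthentication line is ignored, so both are reported.
sample_config() {
  printf '%s\n' 'Port 22022' '#PermitRootLogin no' 'PermitEmptyPasswords no' \
    'UsePAM yes' 'MaxAuthTries 3' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' 'AllowUsers alice'
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "sshd_config needs attention"
rm -f "$tmp"
```

On the server itself, sudo sshd -T prints the configuration that sshd actually uses, including defaults and included files.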

Adding a firewall

Firewalls are necessary to protect your server from online bots and other threats that try to find weaknesses that would allow them to take control of your server.

There are a number of different firewalls that can be installed but, for the purposes of this tutorial, I will be using the Uncomplicated Firewall (UFW).

UFW is usually already installed on Ubuntu but, if not, run sudo apt install ufw to install it.

A basic installation of UFW involves the following:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow [SSH port number]
sudo ufw logging low
sudo ufw enable

The first two lines set up default rules in case no other rules match; the third line allows traffic to whichever port you are using for SSH (or port 22 if it has been left at its default); the fourth line sets up some logging and the last line enables the firewall.

Further instructions on how to use UFW can be found in 'Protecting your server with the UFW firewall on Ubuntu'.

Banning multiple failed login attempts

In order to further protect your server - particularly against multiple attempts to get access to your system - run the following three commands:

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo cp /etc/fail2ban/jail.{conf,local}

The configuration file will need updating so run sudo nano /etc/fail2ban/jail.local and:

  • Find the [sshd] line and add enabled=true and port=[ssh port] on separate lines (where [ssh port] is the port that SSH listens on).
  • Find the bantime line and set it to the period to ban the IP for.
  • Find the findtime line and change it to findtime=10m.
  • Find the maxretry line and change it to maxretry=3.

This will mean that if fail2ban detects 3 failed logins over a 10 minute period it will ban the IP that has made those attempts for the period of time found on the bantime line.
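
To see what these values mean in practice, the following added example (not from the original article, and not fail2ban's own code) applies the same rule to a few constructed auth.log lines: an IP is reported once it reaches maxretry failed passwords within findtime seconds. The function names, the log lines and the documentation-range IP addresses are assumptions.

```bash
#!/usr/bin/env bash
# Added example: the findtime/maxretry rule described above, applied to log lines.
# Assumptions: classic syslog timestamps, all lines from the same day.

# Print each IP that reaches MAXRETRY failures within FINDTIME seconds.
would_ban() {  # usage: would_ban MAXRETRY FINDTIME_SECONDS < auth.log
  awk -v maxretry="$1" -v findtime="$2" '
    / sshd\[[0-9]+\]: Failed password for / {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      # Take the word after the LAST "from", so a user named "from" is harmless.
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in banned)) next
      n[ip]++; seen[ip, n[ip]] = now
      # Count only the failures that fall inside the sliding window.
      hits = 0
      for (j = n[ip]; j >= 1 && now - seen[ip, j] <= findtime; j--) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }
  '
}

# Constructed sample: 203.0.113.7 fails three times inside ten minutes;
# 198.51.100.9 also fails three times, but spread over 24 minutes.
sample_log() {
  cat <<'EOF'
Mar  3 10:00:05 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:04:10 vps sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40188 ssh2
Mar  3 10:05:00 vps sshd[820]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar  3 10:09:59 vps sshd[822]: Failed password for root from 203.0.113.7 port 40301 ssh2
Mar  3 10:20:00 vps sshd[830]: Failed password for alice from 198.51.100.9 port 51010 ssh2
Mar  3 10:29:00 vps sshd[831]: Failed password for alice from 198.51.100.9 port 51022 ssh2
Mar  3 10:31:00 vps sshd[835]: Accepted publickey for alice from 198.51.100.9 port 51030 ssh2
EOF
}

# maxretry=3, findtime=10m (600 seconds), as configured above.
sample_log | would_ban 3 600
```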

Now find the action = line and change it to either action = %(action_mw)s (if you would like to be emailed a whois report for every banned IP) or action = %(action_mwl)s (if you would also like to see relevant logs).

Finally, find the destemail and sender lines and add email addresses to send to and from respectively.

Once done run sudo systemctl restart fail2ban to allow the changes to take effect.

Automated upgrades

Running sudo apt install unattended-upgrades is usually enough to enable security updates to be automatically installed if found.

Adding malware protection

It is important to scan your server for malware and keep it clean. To do this you can install ClamAV and RKHunter.

Installing ClamAV is as simple as running the following commands:

sudo apt install clamav clamav-daemon
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

In order to check the entire server run sudo clamscan -r /. Bear in mind that this will take some time as it is scanning the entire file system.

To install RKHunter run sudo apt install rkhunter. It is important to make some changes to the configuration file which are shown below. To do this run sudo nano /etc/rkhunter.conf.

  • Find, and update, the UPDATE_MIRRORS line to read UPDATE_MIRRORS=1.
  • Find, and update, the MIRRORS_MODE line to read MIRRORS_MODE=0.
  • Find, and update, the ALLOW_SSH_ROOT_USER line to read ALLOW_SSH_ROOT_USER=no.
  • Find, and update, the ALLOW_SSH_PROT_V1 line to read ALLOW_SSH_PROT_V1=0.
  • Find, and update, the WEB_CMD line to read WEB_CMD="".
  • Find the MAIL-ON-WARNING line and add your email address. This will email you whenever there is a problem provided that mail has been set up.
  • Find the MAIL_CMD line and uncomment it.

Now run sudo nano /etc/default/rkhunter and change CRON_DAILY_RUN, CRON_DB_UPDATE and APT_AUTOGEN to true.

Finally run the following three commands to update RKHunter and finish the setup process:

sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter -C

Another scanner that is worth installing is Maldet. This can be installed using the following commands and a scan can be performed by running sudo maldet -a:

cd ~
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-[version]
sudo ./install.sh

where [version] can be found by running ls.

Looking after logs

Logrotate is normally already installed but, if not, it can be installed by running sudo apt install logrotate. Logwatch can be installed if you would like information from the logs emailed to you. This can be done by running the following commands:

sudo apt install logwatch
sudo mkdir /var/cache/logwatch
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

After installing Logwatch it will need some configuration. This can be done by running sudo nano /etc/logwatch/conf/logwatch.conf and finding the MailTo and MailFrom lines and adding your email address.

Final thoughts

Servers can be configured in a multitude of ways and this means that not everything above may be relevant to you.

It is also worth remembering that only basic configuration is shown here and you may want to look at all of the options the software provides to ensure that it meets your requirements and protects your server in your particular situation and use case.